Non-profits should be aware of data protection legislation across the globe so that they are familiar with its requirements. If nothing else, these requirements tend to become the norm and therefore shape the expectations of your donors and supporters.
The CCPA applies to “businesses.” The Act defines that term to include any legal entity (e.g., corporations, associations, partnerships, etc.) that is “organized or operated for the profit or financial benefit of its shareholders or other owners.”1 This accords with the fact that non-profits are exempt from many of the data privacy and security regulations within the United States – in particular, they are largely exempt from enforcement by the Federal Trade Commission, and, therefore, are exempt from compliance with the rules, regulations, and guidance of the Federal Trade Commission to the extent that such rules, regulations, or guidance are not incorporated in state laws that do apply to the non-profit.
In comparison, the European GDPR does not contain any exemptions for non-profit organizations.
So, unless your non-profit has a commercial branch or deals in selling data lists, CCPA does not apply. GDPR, however, does – if you are dealing with citizens of the European Union.